
Using LDAP

If LDAP is used in your environment for name services, you need to work with your LDAP administrator to determine requirements and appropriate storage system configurations, then enable the SVM as an LDAP client.

  • Before configuring LDAP for ONTAP, you should verify that your site deployment meets best practices for LDAP server and client configuration. In particular, the following conditions must be met:

    • The domain name of the LDAP server must match the entry on the LDAP client.

    • The LDAP user password hash types supported by the LDAP server must include those supported by ONTAP:
      • CRYPT (all types) and SHA-1 (SHA, SSHA).
      • Beginning with ONTAP 9.8, SHA-2 hashes (SHA-256, SHA-384, SHA-512, SSHA-256, SSHA-384, and SSHA-512) are also supported.
    • If the LDAP server requires session security measures, you must configure them in the LDAP client.

      The following session security options are available:

      • LDAP signing (provides data integrity checking) and LDAP signing and sealing (provides data integrity checking and encryption)

      • LDAP over TLS (encryption)

    • To enable signed and sealed LDAP queries, the following services must be configured:

      • LDAP servers must support the GSSAPI (Kerberos) SASL mechanism.

      • LDAP servers must have DNS A/AAAA records as well as PTR records set up on the DNS server.

      • Kerberos servers must have SRV records present on the DNS server.

    • To enable TLS encrypted LDAP queries, the following services must be configured:

      • The LDAP server must be enabled for TLS.

        As of ONTAP 9.4, SSL is no longer supported.

      • A certificate server must already be configured in the domain.

    • To enable LDAP referral chasing (in ONTAP 9.5 and later), the following conditions must be satisfied:

      • Both domains should be configured with one of the following trust relationships:

        • Two-way

        • One-way, where the primary trusts the referral domain

        • Parent-child

      • DNS must be configured to resolve all referred server names.

      • Domain passwords should be the same to authenticate when -bind-as-cifs-server is set to true.

      Note
      The following configurations are not currently supported with LDAP referral chasing:

      For all ONTAP versions:

      • LDAP clients on an admin SVM

      For ONTAP 9.8 and earlier:

      • LDAP signing and sealing (the -session-security option)

      • Encrypted TLS connections (the -use-start-tls option)

      • Communications over LDAPS port 636 (the -use-ldaps-for-ad-ldap option)

  • You must enter an LDAP schema when configuring the LDAP client on the SVM.

    In most cases, one of the default ONTAP schemas will be appropriate. However, if the LDAP schema in your environment differs from these, you must create a new LDAP client schema for ONTAP before creating the LDAP client. Consult with your LDAP administrator about requirements for your environment.

  • Using LDAP for host name resolution is not supported.
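The hash-type requirement above is easy to miss until a user cannot authenticate: ONTAP can only verify a userPassword value whose scheme it understands, and the set depends on the release. The following audit script is an added example, not part of the NetApp documentation or of ONTAP itself. It scans an LDIF export, classifies each userPassword value by its RFC 2307-style {SCHEME} prefix, and flags entries ONTAP of a given release could not verify (including cleartext values, which are a finding in their own right). The mapping of the page's hash names onto the prefixes {SHA}, {SSHA}, {SHA256}, {SSHA256}, and so on is an assumption of this example, as is the sample LDIF, which is constructed and uses no real directory data. The SSHA helpers are included to show why a salted SHA-1 value is verifiable by a client that holds only the stored hash.

```python
import base64
import hashlib
import os
import re

# Hash schemes ONTAP can verify, keyed by the first release that supports
# them (per the documented requirement; the {SCHEME} spellings are assumed).
SUPPORTED_SCHEMES = {
    "9.0": {"CRYPT", "SHA", "SSHA"},
    "9.8": {"SHA256", "SSHA256", "SHA384", "SSHA384", "SHA512", "SSHA512"},
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def _version_tuple(version):
    return tuple(int(p) for p in version.split("."))


def supported_schemes(ontap_version):
    """Return the set of {SCHEME} prefixes a given ONTAP release can verify."""
    ver = _version_tuple(ontap_version)
    out = set()
    for minimum, schemes in SUPPORTED_SCHEMES.items():
        if ver >= _version_tuple(minimum):
            out |= schemes
    return out


def classify_password(value, ontap_version):
    """Classify one userPassword value as 'ok', 'unsupported' or 'cleartext'."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "cleartext"          # no {SCHEME} prefix at all
    scheme = m.group(1).upper()
    return "ok" if scheme in supported_schemes(ontap_version) else "unsupported"


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(value, password):
    """Check a cleartext password against a stored {SSHA} value."""
    m = _SCHEME_RE.match(value)
    if not m or m.group(1).upper() != "SSHA":
        return False
    blob = base64.b64decode(m.group(2))
    digest, salt = blob[:20], blob[20:]     # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode() + salt).digest() == digest


def audit_ldif(ldif_text, ontap_version):
    """Scan an LDIF export; return (dn, verdict) for every entry ONTAP cannot verify.

    Handles both 'userPassword: value' and the base64 'userPassword:: value'
    form. LDIF continuation lines (leading space) are not folded here.
    """
    findings = []
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:"):
            raw = line.split(":", 1)[1]
            if raw.startswith(":"):
                value = base64.b64decode(raw[1:].strip()).decode()
            else:
                value = raw.strip()
            verdict = classify_password(value, ontap_version)
            if verdict != "ok":
                findings.append((dn, verdict))
    return findings


# Constructed sample export; hash payloads other than alice's are placeholders.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {ssha_hash("alice-example-pw", salt=b"\\x01\\x02\\x03\\x04")}

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {{SHA512}}PLACEHOLDERDIGEST

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {{MD5}}PLACEHOLDERDIGEST

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: not-a-hash-at-all

dn: uid=erin,ou=people,dc=example,dc=com
userPassword:: {base64.b64encode(b"{CRYPT}PLACEHOLDERDIGEST").decode()}
"""

if __name__ == "__main__":
    for release in ("9.7", "9.8"):
        print(release, audit_ldif(SAMPLE_LDIF, release))
```

Run against a real export (ldapsearch output works as input) with the release you are deploying; every entry reported as unsupported or cleartext is a user whose password must be re-hashed before ONTAP can authenticate it.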
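Signed and sealed queries and referral chasing both depend on DNS being right: the LDAP servers need A/AAAA and PTR records, the Kerberos KDCs need SRV records, and every referred server name must resolve. In practice the failure that bites is a stale or mismatched PTR, because GSSAPI builds the service principal from the name the address resolves back to. The checker below is an added example, not NetApp's code; it runs the three checks over a constructed zone table (the names, addresses and the example.com domain are invented) and, optionally, over live forward and reverse lookups via the standard socket module. SRV lookup is not in the Python standard library, so the live path leaves SRV records to be filled in from dig or nslookup output.

```python
import ipaddress
import socket


def _fqdn(name):
    """Normalise a DNS name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """PTR owner name for an IPv4 or IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone standing in for dig/nslookup results; not real infrastructure.
# ldap2 has a stale PTR (points at an old name), which the check should catch.
ZONE = {
    "A": {"ldap1.example.com.": ["192.0.2.10"], "ldap2.example.com.": ["192.0.2.11"]},
    "AAAA": {"ldap1.example.com.": ["2001:db8::10"]},
    "PTR": {
        reverse_name("192.0.2.10"): ["ldap1.example.com."],
        reverse_name("2001:db8::10"): ["ldap1.example.com."],
        reverse_name("192.0.2.11"): ["ldap-old.example.com."],
    },
    # (priority, weight, port, target) as an SRV answer
    "SRV": {"_kerberos._tcp.example.com.": [(0, 100, 88, "dc1.example.com.")]},
}


def check_ldap_server(host, zone):
    """Return a list of problems for one LDAP server; empty means all records agree."""
    host = _fqdn(host)
    problems = []
    addrs = zone["A"].get(host, []) + zone["AAAA"].get(host, [])
    if not addrs:
        problems.append(f"{host}: no A or AAAA record")
    for ip in addrs:
        names = [_fqdn(n) for n in zone["PTR"].get(reverse_name(ip), [])]
        if not names:
            problems.append(f"{host}: no PTR record for {ip}")
        elif host not in names:
            problems.append(f"{host}: PTR for {ip} points to {names[0]}, not {host}")
    return problems


def check_kerberos_srv(domain, zone):
    """True if the domain publishes at least one _kerberos._tcp SRV record."""
    return bool(zone["SRV"].get(f"_kerberos._tcp.{_fqdn(domain)}"))


def audit(ldap_servers, domain, zone):
    """Run both checks; returns (problems, kerberos_srv_present)."""
    problems = []
    for host in ldap_servers:
        problems.extend(check_ldap_server(host, zone))
    return problems, check_kerberos_srv(domain, zone)


def live_zone(ldap_servers):
    """Build a zone table from real forward/reverse lookups (SRV left empty)."""
    zone = {"A": {}, "AAAA": {}, "PTR": {}, "SRV": {}}
    for host in ldap_servers:
        fq = _fqdn(host)
        for family, _, _, _, sockaddr in socket.getaddrinfo(host, None):
            key = "A" if family == socket.AF_INET else "AAAA"
            zone[key].setdefault(fq, []).append(sockaddr[0])
            try:
                zone["PTR"][reverse_name(sockaddr[0])] = [socket.gethostbyaddr(sockaddr[0])[0]]
            except socket.herror:
                pass
    return zone


if __name__ == "__main__":
    problems, srv_ok = audit(["ldap1.example.com", "ldap2.example.com"], "example.com", ZONE)
    print("\n".join(problems) or "all LDAP server records consistent")
    print("kerberos SRV present:", srv_ok)
```

Feed `live_zone()` the LDAP server names from your client configuration and add the SRV answers by hand; any problem line, or a missing SRV record, must be fixed on the DNS side before -session-security or referral chasing will work reliably.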